paloaltonetworks:configuration:vpn

Differences

This shows you the differences between two versions of the page.

paloaltonetworks:configuration:vpn [2021/10/21 10:22] bstaffordpaloaltonetworks:configuration:vpn [2025/01/05 11:37] (current) – [VPN on PAN-OS] bstafford
Line 5: Line 5:
  
 AWS-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See [[https://layer77.net/2020/06/16/vpn-throughput-tests-palo-alto-vm-300-to-gcp/|this page]].) AWS-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See [[https://layer77.net/2020/06/16/vpn-throughput-tests-palo-alto-vm-300-to-gcp/|this page]].)
 +
 +
 +**MODP**
 +  * Diffie-Hellman Group 1 (768-bit)
 +  * Diffie-Hellman Group 2 (1024-bit)
 +  * Diffie-Hellman Group 5 (1536-bit)
 +  * Diffie-Hellman Group 14 (2048-bit)
 +  * Diffie-Hellman Group 15 (3072-bit)
 +
 +**ECP**
 +  * Diffie-Hellman Group 19 (256-bit random)
 +  * Diffie-Hellman Group 20 (384-bit random)
 +  * Diffie-Hellman Group 21 (521-bit random)
  
 ===== AWS ===== ===== AWS =====
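Review bot: The added MODP list puts Group 1 (768-bit), Group 2 (1024-bit) and Group 5 (1536-bit) next to Group 14 and Group 15 with no indication of which to pick. RFC 8247 rules out or discourages all three of the smaller groups for IKEv2, so I would mark them as legacy or interoperability-only and state the page's preferred choice (Group 14 or higher, or the ECP groups 19 to 21), the same way the context line above already names a preferred cipher. The two lists would also read better under a short heading of their own instead of following two blank lines, and the unchanged context line says "AWS-GCM-128", which looks like a typo for AES-GCM-128 and could be fixed in the same edit.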
Line 14: Line 27:
 <code>debug ike gateway gatewayname off</code> <code>debug ike gateway gatewayname off</code>
  
 +===== VPN Throughput =====
 +For VM firewalls, Bi-directional throughput for traffic across IPsec tunnel is limited to 600 Mbps. This limitation is due PAN-OS architecture where each IPsec tunnel session is processed by only one core and each core encapsulate a maximum of 300 Mbps of traffic and decapsulate another 300 Mbps of traffic combining to get a bidirectional throughput of 600 Mbps.
 +
 +More details in [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP8rCAG|this article]].
 +
 +<code>show session info | match Throughput</code>
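Review bot: The throughput paragraph gives the 600 Mbps figure for "traffic across IPsec tunnel" without saying whether that is per tunnel or per firewall; since the stated reason is that each tunnel session is processed by only one core, say "per IPsec tunnel" explicitly so readers do not read it as a whole-firewall cap. The wording also needs a pass: "due PAN-OS architecture" is missing "to", "each core encapsulate ... and decapsulate" should be "encapsulates ... decapsulates", and "Bi-directional" is capitalised mid-sentence. The added "show session info | match Throughput" command has no sentence saying what it reports or how to compare its output with the 600 Mbps limit; one line of explanation above it would help.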